  • Chapter 14: Information Security

    • Introduction

      Computer systems are used by Licensed Persons to process large numbers of transactions and provide quality service to their customers. While efficient transaction processing is the main objective of computerizing the operations of a Licensed Person, the security of customer information and related transaction data is vital. Licensed Persons must not compromise on introducing information security measures appropriate to the complexity and size of their business. This Chapter contains a few illustrative (but not exhaustive) security measures which all Licensed Persons must implement at a minimum at all times. Additional measures must be introduced depending on the size and complexity of the business and in light of the results of penetration tests and IT audits by external experts.

    • 14.1 Email Systems

      14.1.1 Independent email exchange systems must be in use for all official communications by the Licensed Person and its employees. Public email services (for example Yahoo, Gmail) must not be used under any circumstances;
      14.1.2 The Licensed Person must have a dedicated email ID styled cbuae@abcexchange.com or cbuae@abcexchange.ae for communicating with the Central Bank. The Central Bank will restrict the sending and receiving of communications to/from such designated email IDs only;
      14.1.3 The Licensed Person must notify the Banking Supervision Department of its designated email ID in writing under the signature of its authorized signatory; and
      14.1.4 Employees must be prohibited from using office computer systems to access private email, social networking sites or websites not related to the business (for example Yahoo, Gmail, Hotmail, Facebook).
    • 14.2 Information Security Policy

      The Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business
      14.2.1 An information security policy must be implemented prescribing controls on the usage of email, internet browsing, passwords, workstations, data communication, network security, etc.;
      14.2.2 The information security policy must be approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors) and must be communicated to all employees, whose acknowledgement must be obtained; and
      14.2.3 The information security policy must be reviewed annually at a minimum.
    • 14.3 Users

      14.3.1 All user IDs in the Point of Sale system, email and computer systems must be created only by the designated IT person;
      14.3.2 A separate user ID must be created for each employee, and users shall not be allowed to share their user IDs, in order to preserve accountability and the segregation of duties;
      14.3.3 "Administrator rights" must be granted only to authorized IT persons and must be restricted in number;
      14.3.4 User IDs of employees who resign must be deactivated immediately upon their leaving the Licensed Person;
      14.3.5 The emails of an employee who has resigned may be diverted to another employee, if necessary, with the special approval of the Manager in Charge; this must be covered in the IT policy; and
      14.3.6 Privileges assigned to users must be reviewed at regular intervals to ensure the timely removal of unnecessary privileges.
    • 14.4 Passwords

      14.4.1 Workstations and all applications must have appropriate, needs-based access controls with user names and passwords;
      14.4.2 Passwords must be of sufficient length, preferably eight characters or more, and must be alphanumeric and include special characters;
      14.4.3 Mandatory "password change" settings must be activated in all systems and applications. Passwords must be changed at least once every ninety (90) calendar days for normal users and at least once every thirty (30) calendar days for Administrators; and
      14.4.4 The "auto password save" (remember password) option must not be activated on any PC or workstation or for any application.
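As an added illustration, and not part of the Standards themselves, the following Python script shows how the user-ID rules of 14.3 (shared IDs, leavers left enabled, number of administrators, privilege review) and the password rules of 14.4 (length and character classes, 90-day/30-day rotation) can be turned into a single automated audit over an account export. The record fields, the sample accounts, the audit date and the cap of two administrator accounts are assumptions made for this example; a real export from Active Directory or the Point of Sale system would be mapped onto the `Account` fields first.

```python
"""Account hygiene audit against clauses 14.3 and 14.4 (added example, not
from the Standards). All field names, thresholds not stated in the text
(MAX_ADMINS) and the sample accounts below are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple
import re

MIN_LENGTH = 8                                # 14.4.2: "eight characters or more"
MAX_AGE_DAYS = {"user": 90, "admin": 30}      # 14.4.3: rotation limits by role
MAX_ADMINS = 2                                # 14.3.3 says "restricted in number";
                                              # the figure 2 is an assumption here.


def password_meets_policy(pw: str) -> List[str]:
    """Return the list of 14.4.2 failures for a candidate password (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    return problems


@dataclass
class Account:
    user_id: str
    role: str                          # "user" or "admin"
    enabled: bool
    last_password_change: date
    left_on: Optional[date] = None     # HR leaving date, None while employed
    shared_by: Tuple[str, ...] = ()    # people known to log in with this ID


Finding = Tuple[str, str, str]         # (user_id, clause, detail)


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Check each account against 14.3.2, 14.3.3, 14.3.4 and 14.4.3."""
    findings: List[Finding] = []
    for a in accounts:
        # 14.3.4: a leaver's ID must be deactivated immediately on leaving.
        if a.enabled and a.left_on is not None and a.left_on <= today:
            findings.append((a.user_id, "14.3.4", "leaver still enabled"))
        # 14.3.2: one ID per employee, never shared.
        if len(a.shared_by) > 1:
            findings.append((a.user_id, "14.3.2",
                             "user ID shared by " + ", ".join(a.shared_by)))
        # 14.4.3: password older than the role's rotation limit.
        limit = MAX_AGE_DAYS[a.role]
        age = (today - a.last_password_change).days
        if a.enabled and age > limit:
            findings.append((a.user_id, "14.4.3",
                             f"password {age} days old, limit {limit}"))
    # 14.3.3: administrator accounts restricted in number (assumed cap).
    admins = [a.user_id for a in accounts if a.role == "admin" and a.enabled]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", "14.3.3",
                         f"{len(admins)} enabled admins, cap {MAX_ADMINS}"))
    return findings


# Constructed sample export; none of these are real accounts.
AUDIT_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, date(2024, 5, 1)),                    # 60 days: OK
    Account("bob", "user", True, date(2024, 3, 1)),                      # 121 days: overdue
    Account("carol", "admin", True, date(2024, 5, 15)),                  # 46 days: admin limit is 30
    Account("dave", "user", True, date(2024, 6, 1), left_on=date(2024, 6, 15)),
    Account("counter1", "user", True, date(2024, 6, 1), shared_by=("eve", "frank")),
]

if __name__ == "__main__":
    for pw in ("Summer2024!", "12345678", "Ab1!"):
        print(f"{pw!r}: {password_meets_policy(pw) or 'OK'}")
    for user_id, clause, detail in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user_id:10} {clause:7} {detail}")
```

Run daily from a scheduled task and hand the findings to the designated IT person; the 14.3.6 privilege review becomes a matter of reading the report rather than inspecting accounts by hand.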
    • 14.5 Data Movement, Database and Back-up

      14.5.1 Where data is shared outside the Licensed Person's own network, or where the data relates to any card transactions, the Licensed Person must use strong encryption to protect such data;
      14.5.2 The customer and transaction database must be held/stored within the UAE;
      14.5.3 Outside parties must not be given access to the customer/transaction database, which must be kept completely proprietary at all times. Restricted access may be given to the IT service provider, where the IT function is outsourced, to carry out maintenance of computer hardware, network or applications;
      14.5.4 Appropriate policies must be introduced for the back-up, and off-site storage of back-up data, of all enterprise servers, databases, network servers and system software;
      14.5.5 The Licensed Person must have a back-up procedure for its systems that may include details of back-up frequency, the information to be backed up, storage media, back-up retention period, rotation of media and periodic testing of back-up copies for data availability; and
      14.5.6 Disaster Recovery (DR) drills must be conducted at regular intervals to ensure that the DR set-up is functional.
    • 14.6 Antivirus Solutions

      14.6.1 All computer systems, including servers, workstations, personal computers (PCs), laptops and other handheld devices, must have appropriate anti-virus solutions to prevent information loss due to viruses, Trojans, worms and bots;
      14.6.2 Anti-virus solutions on all computer systems must be updated automatically;
      14.6.3 Daily automated anti-virus scanning must be activated for every computer system and at the network level;
      14.6.4 Anti-virus configuration settings must be comprehensive and robust so as to protect against external interference, malicious attacks and intrusions;
      14.6.5 Anti-virus scanning must be undertaken automatically at regular intervals;
      14.6.6 All incoming and outgoing emails with attached files must be screened automatically before the mail reaches the end user's mailbox. In case of doubt, the system must block such emails and automatically notify the IT team to carry out further investigation; and
      14.6.7 Users must not be given privileges to alter the settings of the anti-virus solutions.
    • 14.7 IT Training

      14.7.1 All employees must be given training related to Information Security and a copy of the Information Security Policy at the time of joining;
      14.7.2 Refresher training must be given annually at a minimum;
      14.7.3 Employees of the Information Security Department must be provided with specialized annual training to remain updated with recent trends, threats and required controls in information security; and
      14.7.4 The training plan, training registers, training materials, etc. must be held in the records for verification by the Central Bank.
    • 14.8 System Changes

      14.8.1 All changes to hardware, software, applications, databases, configuration, etc. must be subject to formal change control procedures;
      14.8.2 Changes to application systems must be carried out only in accordance with the approved change request process and must be subject to a formal risk assessment; and
      14.8.3 All changes must be tested under all possible scenarios before being promoted to production.
    • 14.9 Audit and Testing

      14.9.1 The Licensed Person must conduct internal and external vulnerability scanning and penetration tests on the network and systems on an annual basis at a minimum and take appropriate mitigating actions in order to address the issues identified during such tests; and
      14.9.2 The strength of the information security controls and IT security controls must be audited by external experts at regular intervals, annually at a minimum, depending on the nature, size and complexity of the business.
    • 14.10 General Requirements and Reporting Processes

      14.10.1 The privilege to download software (licensed software only; no free or pirated software) must be given only to the designated IT person. Users of computers must not be allowed to download any software to their computers;
      14.10.2 The "auto-logout" feature must be activated for all applications related to the business of the Licensed Person when they are not in use;
      14.10.3 The "auto-lock" feature must be enabled, by means of a password-protected screen saver, on all workstations and operating systems when they are not in use;
      14.10.4 Appropriate firewall systems and protection must be in place for PCs, servers, operating systems, databases and network equipment;
      14.10.5 All operating systems, server machines, hardware equipment, system software, applications, utility programs and anti-virus programs must be licensed by the respective vendor at all times, with valid agreements in place;
      14.10.6 The Licensed Person must review all warning notices issued by the Central Bank on cyber threats and take the necessary actions immediately to ensure adequate protection of its computer systems against such threats; and
      14.10.7 Cyber fraud/crime incidents must be reported immediately to the Banking Supervision Department and the police authorities.